OpenSSL¶
Basic stuff¶
Check a certificate
openssl x509 -in <cert_file> -noout
Show a certificate's properties
openssl x509 -in <cert_file> -noout -text
Show expiry date of cert
openssl x509 -in <cert_file> -noout -enddate
Generate a new key and a certificate signing request (CSR); note that rsa:1024 is below current minimum key sizes, and -nodes leaves the key unencrypted
openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out cert.pem
Generate CSR with existing key
openssl req -new -key key.pem -out cert.pem
Generate a self signed cert
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Check a private key
openssl rsa -in <key_file> -check
Check that a private key matches a certificate (RSA only: the modulus trick does not apply to EC keys; both hashes must match)
openssl rsa -noout -modulus -in /etc/pki/tls/private/my-private.key | openssl sha512
openssl x509 -noout -modulus -in /etc/pki/tls/certs/my-cert.pem | openssl sha512
Check cert signature with CA cert
openssl verify -CAfile ca.pem client.pem
Remove the password from a private key (write to a new file rather than overwriting the input)
openssl rsa -in <key_file> -out <key_file_nopass>
Test a TLS port; once the handshake has completed, type the request line followed by an empty line to send it
openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0
Convert PFX (IIS) to PEM
openssl pkcs12 -in mycert.pfx -out mycert.pem
View the details of a certificate revocation list (CRL)
openssl crl -in filename.crl -noout -text
Verify a cert and check it against the CRLs found in the CA path
openssl verify -crl_check -CApath /etc/ssl/certs cert.pem
Build your own CA¶
openssl genrsa -aes256 -out ca.key 4096
openssl req -x509 -new -key ca.key -days 1825 -out ca-root.crt -sha512
Create a new key and certificate signing request
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
Sign the CSR (signed this way the certificate carries no extensions such as a subjectAltName)
openssl x509 -req -days 365 -in client.csr -CA ca-root.crt -CAkey ca.key -CAcreateserial -out client.crt
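The CA-building steps above and the key/certificate match check from the "Basic stuff" section, as one added example that is not part of the original page: a throwaway CA issues a leaf certificate with a subjectAltName via an extension file, the chain is verified, and the key check compares the full public key so that it also works for EC keys. All file and host names are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original page): build a throwaway CA, issue a
# leaf certificate that carries a subjectAltName, verify the chain, and check
# that a private key belongs to a certificate. All names are constructed.
set -eu

# Create CA + leaf under $1; $2 is the leaf CN, $3 the SAN list, e.g.
# "DNS:www.example.test,DNS:example.test".
issue_leaf() {
  dir=$1; cn=$2; san=$3
  mkdir -p "$dir"
  # Unencrypted keys (no -aes256) only because this is a throwaway demo.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 30 \
    -subj "/CN=Demo Root CA" -out "$dir/ca.crt"
  openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=$cn" -out "$dir/leaf.csr"
  # A plain "x509 -req" sign step adds no extensions; an -extfile supplies the
  # SAN and EKU that TLS clients require for a server certificate.
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$san" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.crt" 2>/dev/null
}

# Succeeds when leaf.crt chains to ca.crt and lists $2 as a DNS SAN.
verify_leaf() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/leaf.crt" >/dev/null &&
    openssl x509 -in "$dir/leaf.crt" -noout -text | grep -q "DNS:$host"
}

# Succeeds when private key $1 matches certificate $2. Comparing the encoded
# public keys works for RSA and EC, unlike the -modulus comparison (RSA only).
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$kpub" = "$cpub" ]
}

# Stand-alone demo run in a temporary directory
demo=$(mktemp -d)
issue_leaf "$demo" www.example.test "DNS:www.example.test,DNS:example.test"
if verify_leaf "$demo" www.example.test && key_matches_cert "$demo/leaf.key" "$demo/leaf.crt"; then
  echo "leaf chains to the CA, carries the SAN, and matches its key"
else
  echo "check failed" >&2; rm -rf "$demo"; exit 1
fi
rm -rf "$demo"
```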
Usage of CA.pl¶
Build your own CA
/usr/lib/ssl/misc/CA.pl -newca
on Arch Linux the script is located at /etc/ssl/misc/CA.pl
Create a new certificate
/usr/lib/ssl/misc/CA.pl -newcert
Sign a certificate
/usr/lib/ssl/misc/CA.pl -sign
More CA stuff¶
Create a Certificate Revocation List (CRL)
openssl ca -gencrl -keyfile ca_key -cert ca_crt -out my_crl.pem
Revoke a certificate, then regenerate the CRL (see above) and inspect it
openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
openssl crl -in crl_file -noout -text
Java keystore¶
How to convert a PEM cert and RSA key to PKCS12 and import it into a Java keystore
openssl pkcs12 -export -in mycert.pem -inkey my.key -out mycert.pkcs12
keytool -importkeystore -deststorepass mypassword -destkeystore keystore.jks -srckeystore mycert.pkcs12 -srcstorepass mypassword
add keytool's -ext san=dns:www.example.com option (valid with -genkeypair, -certreq and -gencert, not with -importkeystore) for alternative names
Generate random bytes¶
openssl rand <nr_of_bytes>
output is raw bytes; add -hex or -base64 for a printable encoding